AUDIT REPORT

INFORMATION TECHNOLOGY: United States Department of the Treasury’s Compliance with Section 522 of the Consolidated Appropriations Act of 2005 (OIG-09-014)

December 3, 2008

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 3, 2008

MEMORANDUM FOR PETER B. MCCARTHY
ASSISTANT SECRETARY FOR MANAGEMENT AND CHIEF FINANCIAL OFFICER

ELIZABETH CUFFE
DEPUTY ASSISTANT SECRETARY FOR PRIVACY AND TREASURY RECORDS

FROM: Joel Grover /s/
Deputy Assistant Inspector General for Financial Management and IT Audits

SUBJECT: Audit Report – United States Department of the Treasury’s Compliance with Section 522 of the Consolidated Appropriations Act of 2005

The attached report presents the results of our audit of the United States Department of the Treasury’s (Treasury) compliance with Section 522 of the Consolidated Appropriations Act of 2005, as amended (Section 522), and Office of Management and Budget (OMB) Memorandum 07-16 (M-07-16), Safeguarding Against and Responding to the Breach of Personally Identifiable Information. To meet the Section 522 requirement for a periodic Inspector General audit of the agency’s privacy program, we contracted with KPMG LLP, an independent certified public accounting firm. This audit includes Treasury and its bureaus with the exception of the Internal Revenue Service (IRS). The Treasury Inspector General for Tax Administration (TIGTA) performed an assessment of M-07-16 compliance at the IRS as part of its annual FISMA evaluation.[1]

Based on the results reported by KPMG, we determined that Treasury did not fully comply with Section 522 and did not comply with M-07-16. Specifically, KPMG reported that (1) annual congressional reporting requirements were not met, (2) reporting requirements to the OIG were not met, and (3) policies and procedures required by Section 522 and OMB Memorandum 07-16 were still in draft.

If you have questions or require further information, you may contact me at (202) 927-5768, or Tram Dang at (202) 927-5171.

Attachment

[1] TIGTA’s annual IRS FISMA evaluation results (Audit #200820024) were included as Attachment 2 to the OIG report INFORMATION TECHNOLOGY: Federal Information Security Management Act Fiscal Year 2008 Performance Audit (OIG-08-046), dated September 26, 2008.


ATTACHMENT

United States Department of the Treasury’s Compliance with Section 522 of the Consolidated Appropriations Act of 2005

December 2, 2008

Prepared for the United States Department of the Treasury, Office of the Inspector General

Prepared by KPMG LLP

December 2, 2008


TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE, SCOPE, AND METHODOLOGY
RESULTS
CONCLUSION
MANAGEMENT RESPONSE TO REPORT
APPENDIX I – ACRONYM LIST


KPMG LLP
2001 M Street, NW
Washington, DC 20036

EXECUTIVE SUMMARY

December 2, 2008

Joel Grover
Deputy Assistant Inspector General for Financial Management and Information Technology Audits
United States Department of the Treasury
740 15th Street NW, Suite 600
Washington, DC 20220

Dear Mr. Grover:

This report presents the results of our audit of the United States Department of the Treasury’s (Treasury) non-Internal Revenue Service (IRS) privacy data protection program and practices, as required by Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, Public Law 108-447, as amended (hereinafter referred to as Section 522). Section 522 requires the following:

1. Appoint a Chief Privacy Officer (CPO) to assume primary responsibility for privacy and data protection policy.
2. Establish privacy and data protection procedures and policies.
3. Prepare a written report on the use of information in an identifiable form (IIF) and on privacy and data protection procedures, to be recorded with the Inspector General (IG) to serve as a benchmark for the agency.
4. Perform an independent, third-party review of the use of IIF.

Additionally, Section 522 requires that the agency’s IG perform a periodic assessment of the implementation of this section. The agency IG shall report the results to the Committees on Appropriations of the House and Senate, the House Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs.[1]

Agencies were required to be compliant with Section 522 by December 8, 2005.

The Treasury Office of the Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of Treasury’s privacy program pursuant to Section 522 and Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. We conducted this performance audit in accordance with the standards applicable to such audits contained in Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The objective of our performance audit was to determine the effectiveness of Treasury’s privacy and data protection programs and practices in complying with Section 522 and OMB Memorandum 07-16. The scope of our performance audit included reviewing program effectiveness from both (1) a top-down, department-level perspective, to assess overall program management capabilities in developing and implementing privacy requirements to be carried out by bureaus, and (2) a bottom-up, non-IRS Treasury bureau-level perspective, to assess the effectiveness of privacy programs implemented by bureaus for Treasury-specific functions and applications.

[1] As amended in Section 742 of the Consolidated Appropriations Act, 2008, Public Law 110-161.

During our performance audit to determine compliance with Section 522 and OMB Memorandum 07-16, we determined that Treasury did not fully comply with Section 522 and did not comply with OMB Memorandum 07-16. Specifically, we found that (1) annual congressional reporting requirements were not met, (2) reporting requirements to the OIG were not met, and (3) policies and procedures required by Section 522 and OMB Memorandum 07-16 were still in draft. Treasury should ensure that its privacy and data protection program and practices comply with Section 522 and OMB Memorandum 07-16. Specific areas include:

1. Annual Congressional Reporting Requirements Were Not Met. Treasury has not prepared and submitted an annual report to Congress on activities that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, United States Code, internal controls, and other relevant matters.

2. Reporting Requirements to the OIG Were Not Met. Treasury did not record with the OIG a written report on the use of IIF, as well as its privacy and data protection policies and procedures.

3. Policies and Procedures Required by Section 522 and OMB Memorandum 07-16 Were in Draft. Two (2) Treasury directives and policies related to the collection, use, sharing, disclosure, transfer, and storage of personally identifiable information (PII) were still in draft.

While several of Treasury’s policies and procedures required by Section 522 and OMB Memorandum 07-16 were in draft at the conclusion of fieldwork, the majority of non-IRS bureaus have begun to adopt them.[2] Specifically, each of the 12 non-IRS bureaus had begun performing privacy impact assessments (PIAs) on information systems. In addition, bureaus have begun to provide training on the responsibilities of individuals authorized to access PII. Lastly, through our limited procedures, we noted that Treasury is adequately protecting PII on public Internet sites, intranet sites, and general support systems.[3]

Overall, we determined that Treasury did not fully comply with Section 522 and did not comply with OMB Memorandum 07-16. We are reporting exceptions to the extent that policies and reporting requirements required by Section 522 and OMB Memorandum 07-16 were not finalized. All of our findings are included in the results section of this report; they warrant management attention and corrective action.

This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. KPMG was not engaged to, and did not, render an opinion on Treasury’s internal controls over financial reporting or over financial management systems (for purposes of OMB Circular No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting the results of our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

[2] An assessment of the IRS’s compliance with the provisions of Section 522 and OMB Memorandum 07-16 was performed by the Treasury Inspector General for Tax Administration (TIGTA) as part of its annual independent Federal Information Security Management Act evaluation. See Department of the Treasury – OIG Audit Report OIG-08-046 – Attachment 2.
[3] Our limited procedures included manual inspections of all Treasury publicly available Internet Web sites, four (4) judgmentally selected intranets, and one (1) judgmentally selected general support system.

Sincerely,


BACKGROUND

Enacted in December 2004, Section 522 directs agencies, including Treasury, to implement a number of measures to protect IIF. Such measures require that agencies:

1. Appoint a CPO to assume primary responsibility for agency privacy and data protection policy. Specifically, Section 522 requires that the CPO:

   a. Assure that the use of technologies sustains, and does not erode, privacy protection related to the use, collection, and disclosure of IIF;

   b. Assure that technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program;

   c. Assure that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974;

   d. Evaluate legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;

   e. Conduct a privacy impact assessment of proposed rules of the Department on the privacy of IIF, including the type of PII collected and the number of people affected;

   f. Prepare a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, United States Code, internal controls, and other relevant matters;

   g. Ensure that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction;

   h. Train and educate employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies;

   i. Ensure compliance with the Department’s established privacy and data protection policies.

2. Establish and implement comprehensive privacy and data protection procedures governing the collection, use, sharing, disclosure, transfer, storage, and security of IIF relating to agency employees and the public. Such procedures are to be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002.

3. Perform an independent, third-party review of the use of IIF.

4. Prepare a written report, signed by the CPO, that provides a benchmark for the agency’s privacy program and describes the agency’s use of IIF, along with its privacy and data protection policies and procedures. The report is to be recorded with the agency IG.

5. The agency’s IG is to perform a periodic assessment of the implementation of Section 522. Section 522 further requires that the agency IG report the results to the Committees on Appropriations of the House and Senate, the House Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs.[4]

OMB issued Memorandum 07-16 on May 22, 2007, which requires agencies to develop and implement notification policies for the breach of PII. Agencies were required to implement these breach notification policies by September 22, 2007. OMB Memorandum 07-16 required that the policies include existing and new requirements for internal incident handling and reporting, external breach notification, and the development of policies regarding the responsibilities of individuals authorized to access PII.

[4] As amended in Section 742 of the Consolidated Appropriations Act, 2008, Public Law 110-161.

Treasury Mission and Organization

Treasury operates and maintains systems that collect, process, store, and distribute mission-critical information, such as taxpayer and bank data, in support of Treasury functions critical to the nation’s financial infrastructure. These functions include the production of coin and currency, the disbursement of payments to the American public, revenue collection, and the borrowing of funds necessary to run the Federal Government. Management and performance accountability for these functions and systems are overseen by Treasury’s 13 operating bureaus and offices, including:

• Alcohol and Tobacco Tax and Trade Bureau – Responsible for enforcing and administering laws covering the production, use, and distribution of alcohol and tobacco products. The Alcohol and Tobacco Tax and Trade Bureau also collects excise taxes for firearms and ammunition.
• Bureau of Engraving and Printing – Designs and manufactures U.S. (paper) currency, many stamps, securities, and other official certificates and awards.
• Bureau of the Public Debt – Borrows the money needed to operate the Federal Government. It administers the public debt by issuing and servicing U.S. Treasury marketable, savings, and special securities.
• Community Development Financial Institution Fund – Created to expand the availability of credit, investment capital, and financial services in distressed urban and rural communities.
• Departmental Offices – Primarily responsible for policy formulation. The Departmental Offices are composed of divisions headed by Assistant Secretaries, some of whom report to Under Secretaries.
• Financial Crimes Enforcement Network – Supports law enforcement investigative efforts and fosters interagency and global cooperation against domestic and international financial crimes. It also provides U.S. policy makers with strategic analyses of domestic and worldwide trends and patterns.
• Financial Management Service – Receives and disburses all public monies, maintains government accounts, and prepares daily and monthly reports on the status of government finances.
• IRS – Responsible for determining, assessing, and collecting internal revenue in the United States.
• Office of the Comptroller of the Currency – Charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.
• OIG – Conducts and supervises audits and investigations of Treasury programs and operations. The OIG also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in Treasury programs and operations.
• Office of Thrift Supervision – The primary regulator of all Federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations.
• United States Mint – Designs and manufactures domestic, bullion, and foreign coins as well as commemorative medals and other numismatic items. The Mint also distributes United States coins to the Federal Reserve banks and maintains physical custody and protection of our nation’s silver and gold assets.
• TIGTA – Conducts and supervises audits and investigations of IRS programs and operations. TIGTA also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in IRS programs and operations.

Treasury Privacy and Data Protection Program

Treasury established a department-wide privacy program to protect the PII it manages from unauthorized use, access, disclosure, or sharing and to safeguard associated information systems from unauthorized access, modification, disruption, or destruction. Key components of Treasury’s privacy program include, but are not limited to, the following:

• The Assistant Secretary for Management/Chief Financial Officer was designated as the CPO and Senior Agency Official for Privacy, with overall responsibility for the program, in March 2005.
• The Office of Privacy and Treasury Records (OPTR) was established on March 24, 2008, as the program management office that supports the Treasury CPO in developing and implementing privacy requirements, including policies and procedures for managing and protecting PII. OPTR also provides privacy and data protection program oversight of all Treasury bureaus and offices in carrying out directives and policies developed by OPTR. Additionally, OPTR is responsible for establishing a privacy awareness program, disseminated to bureaus, regarding Treasury employee privacy responsibilities. Prior to this date, the Office of the Chief Information Officer (OCIO) held these responsibilities. OPTR includes the Office of Privacy and Civil Liberties, Office of Disclosure Services, Treasury Records, Treasury Library, and the Orders and Directives Program.
• Each of the 13 Treasury bureaus has also established a bureau privacy officer.[5] The role of the bureau privacy officer is to act as a liaison between the bureau’s system owners and the OPTR and the CPO to ensure that privacy and data protection programs are operating effectively at the bureau level. This includes performance of Privacy Threshold Analyses and PIAs on all information systems. Bureau privacy officers work with the system owners to analyze the data being processed in the system and determine whether the data contains PII.

[5] This report excludes privacy and data protection programs at IRS.


OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine the effectiveness of Treasury’s privacy and data protection programs and practices in complying with Section 522 and OMB Memorandum 07-16. The scope of our audit included reviewing program effectiveness from both (1) a top-down, department-level perspective, to assess overall program management capabilities in developing and implementing privacy requirements to be carried out by bureaus, and (2) a bottom-up, non-IRS Treasury bureau-level perspective, to assess the effectiveness of privacy programs implemented by bureaus for Treasury-specific functions and applications.

To accomplish our objectives, KPMG conducted interviews with appropriate Treasury officials from OPTR and bureau-level officials to obtain an understanding of each area within the scope of the audit. Further, we reviewed Treasury policy, directives, and guidelines relative to privacy and data protection and selected documentation applicable to bureau-level activities performed, including PIAs, and performed procedures to identify the presence of PII on publicly accessible Internet sites, internal intranet sites, and one (1) general support system.

Top-down Department Level Review

To determine Treasury’s effectiveness in establishing a privacy program for implementing privacy requirements, KPMG reviewed the privacy program management capabilities established to support the Treasury CPO in developing and implementing privacy requirements. This included reviewing policies, directives, and procedures for managing and protecting PII, the process for identifying PII in applications, and procedures for conducting PIAs of applications and systems containing PII. KPMG also reviewed roles, responsibilities, and the effectiveness of oversight capabilities at the department level in managing and directing the privacy program activities performed by Treasury bureaus, and the development of a privacy awareness program.

Bottom-up Bureau Level Review

To determine how effectively Treasury bureaus carry out privacy requirements under the departmental direction provided, KPMG reviewed privacy activities performed by non-IRS Treasury bureaus for specific functions and applications, through a representative subset of 23 information systems. Our review included an assessment of the effectiveness of privacy threshold analyses and PIAs performed on information systems in analyzing systems for PII. Our test work also included limited procedures to determine the presence of PII on Treasury’s publicly accessible Internet sites, intranet sites, and one (1) general support system.

Other Considerations

KPMG performed this performance audit at Treasury’s headquarters offices in Washington, DC and bureau locations in Washington, DC, Hyattsville, MD, McLean, VA, and Parkersburg, WV during the period of May through September 2008. Throughout the audit, we met with Treasury management to discuss our preliminary conclusions.

The Treasury OIG contracted with KPMG to audit Treasury’s compliance with Section 522 and OMB Memorandum 07-16, and to report on the effectiveness of Treasury’s privacy and data protection program. KPMG conducted this performance audit in accordance with GAGAS issued by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Applicable Criteria

KPMG’s criteria for this performance audit are based on Federal privacy and data protection criteria established by law and OMB:

• Section 522, Division H of the Consolidated Appropriations Act, 2005
• OMB Memorandum 08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information


RESULTS

During our performance audit to determine compliance with Section 522 and OMB Memorandum 07-16, we determined that Treasury did not fully comply with Section 522 and did not comply with OMB Memorandum 07-16. Specifically, we found that (1) annual congressional reporting requirements were not met, (2) reporting requirements to the OIG were not met, and (3) policies and procedures required by Section 522 and OMB Memorandum 07-16 were not finalized. Treasury should ensure that its privacy and data protection program and practices fully comply with applicable Congressional and OMB requirements.

FINDINGS

1. Annual Congressional Reporting Requirements Have Not Been Met.

   Treasury has not prepared and submitted any annual reports to Congress on activities that affect privacy, including complaints of privacy violations; implementation of section 552a of title 5, United States Code; internal controls; and other relevant matters.

   According to OPTR management, from December 8, 2004 to March 23, 2008, the OCIO held the responsibility for privacy and data protection, but due to limited resources the OCIO did not prepare and submit the annual report to Congress on activities affecting privacy. Since March 24, 2008, OPTR has had the responsibility to develop the annual report to Congress on activities affecting privacy, but due to competing priorities, the annual reports have not been prepared and submitted.

   By not submitting the report on an annual basis, Treasury is not in compliance with Section 522, and Congress may not be aware of the current state of the agency’s privacy-related activities. This could result in the inability to dedicate adequate resources to the protection of IIF.

   We recommend that OPTR management:

   1. Prepare a report to Congress on an annual basis on activities of Treasury that affect privacy, including complaints of privacy violations; implementation of section 552a of title 5, United States Code; internal controls; and other relevant matters.

2. Reporting Requirements to the OIG Were Not Met.

   Treasury did not record with the OIG a written report on the use of IIF, as well as its privacy and data protection policies and procedures.

   According to OPTR management, from December 8, 2004 to March 23, 2008, the OCIO held the responsibility for privacy and data protection, but due to limited resources the OCIO did not prepare and submit the report to the OIG on the use of IIF. Since March 24, 2008, OPTR has had the responsibility to submit the report to the OIG on the use of IIF, but due to competing priorities, the reports have not been prepared and submitted.

   By not recording with the OIG a report on the use of IIF, as well as the privacy and data protection policies and procedures, Treasury is not in compliance with Section 522. Furthermore, Treasury does not have a benchmark on its use of IIF, along with privacy and data protection policies and procedures.

   We recommend that OPTR management:

   2. Record with the OIG a formal written report on the use of IIF, as well as privacy and data protection policies and procedures.

3. Policies and Procedures Required by Section 522 and OMB Memorandum 07-16 Are in Draft.

   Section 522 of the Consolidated Appropriations Act, 2005, issued on December 8, 2004, required agencies to develop policies and procedures for privacy and data protection within one (1) year of the law being signed. In addition, OMB Memorandum 07-16, issued on May 22, 2007, required that policies be developed for PII breach notifications. OMB Memorandum 07-16 required that these policies and procedures be issued within 120 days after the date of the memorandum, by September 22, 2007. To date, Treasury has only finalized Treasury Directive (TD) 25-07, Privacy Impact Assessment, dated August 6, 2008, and TD 25-09, Privacy and Civil Liberties Activities Pursuant to Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, P.L. 110-53, dated September 3, 2008. However, Treasury Directive Publication 25-07, Privacy Impact Assessment Manual, and TD 25-08, Personally Identifiable Information (PII) Protection, Breach Response, and Notification, are still in draft.

   According to OPTR management, from December 8, 2004 to March 23, 2008, the OCIO held the responsibility for privacy and data protection functions under Section 522. The OCIO had developed directives and policies in accordance with Section 522 and OMB Memorandum 07-16; however, the clearance process was delayed, with the OCIO citing limited resources to complete the process and the pending creation of OPTR. Since its creation on March 24, 2008, OPTR has assumed the responsibility to review and update the content of these directives and policies and continue the formal clearance process.

   Without formal directives and policies related to the collection, use, sharing, disclosure, transfer, and storage of PII in place at Treasury, IIF may not be adequately protected. However, the majority of non-IRS bureaus have begun to adopt all draft policies and procedures. Specifically, each of the 12 non-IRS bureaus had begun performing PIAs on information systems. In addition, bureaus have begun to provide training on the responsibilities of individuals authorized to access PII. Lastly, through our limited procedures, we noted that Treasury is adequately protecting PII on public Internet sites, intranet sites, and general support systems.

   We recommend that OPTR management:

   3. Finalize all of the directives and policies related to the collection, use, sharing, disclosure, transfer, and storage of PII identified above.


CONCLUSION

We assessed Treasury for compliance with Section 522 and OMB Memorandum 07-16. Overall, we determined that Treasury did not fully comply with Section 522 and did not comply with OMB Memorandum 07-16. We are reporting exceptions to the extent that policies and reporting requirements required by Section 522 and OMB Memorandum 07-16 were not implemented. All of our findings are included in the results section of this report; they warrant management attention and corrective action.


MANAGEMENT RESPONSE TO REPORT


APPENDIX I – ACRONYM LIST

Acronym    Definition
CPO        Chief Privacy Officer
GAGAS      Generally Accepted Government Auditing Standards
IG         Inspector General
IIF        Information in an Identifiable Form
IRS        Internal Revenue Service
KPMG       KPMG LLP
OCIO       Office of the Chief Information Officer
OMB        Office of Management and Budget
OIG        Office of the Inspector General
OPTR       Office of Privacy and Treasury Records
PIA        Privacy Impact Assessment
PII        Personally Identifiable Information
TD         Treasury Directive
TIGTA      Treasury Inspector General for Tax Administration
Treasury   United States Department of the Treasury